Resolutions, opinions and reports search tool

The Public Health Agency of Catalonia communicated to the Labour Risk Prevention Services of the Catalan company in which it provides services denouncing the list of staff who did not have the complete pattern of vaccination against COVID-19. This communication was carried out within the framework of a vaccination campaign by the Health Department. In this respect, the communication in question does not contravene data protection regulations, insofar as both occupational risk prevention regulations and public health regulations empower health authorities to establish mechanisms for collaboration with the occupational risk prevention services of private companies.

It resolves to dismiss the request of the holder because restricting access to the health data of the holder, to all administrative, IT and citizen management staff of the Health Department, who may need access to it in the performance of their duties, would seriously distort the functioning and organisation of the health system. Furthermore, to the extent that the claimant also intended that the Ministry should enforce its right of opposition "in a global way and not individually", in relation to data relating to his or her health, which is treated at all Hospitals of Catalonia and Primary Care Centers, it is decided to also dismiss this claim, insofar as the Ministry of Health is not responsible for all the treatments pointed out by the claimant.

Personal data protection regulations do not prevent the dissemination of information relating to deceased persons. The minutes of the plenary sessions, with regard to the acts discussed, must be published in the electronic headquarters of the City Council without including specially protected data categories, or affecting honour or privacy or requiring special protection. In this case, the consent of those concerned should be made available so that the minutes can be disseminated, or the information anonymized should be disseminated. After 30 years, the provisions of Article 36 of Law 10/2001 may come into play. There is no legal basis for the dissemination, with a general scope, of the information contained in the municipal godparents of inhabitants on the city council website, without prejudice to the dissemination of the anonymized information of the godfather.

It is decided to sanction Badalona Health Services for the infringement of the principle of confidentiality, since the complained entity has confirmed that a worker from Badalona Municipal Hospital, managed by Badalona Health Services S.A, would have unduly accessed a third person's clinical history. The proposed sanction is EUR 2 000.

It is decided to file the present complaint, given that the accused City Council and, in particular, the Chief Inspector of the Local Police, included references to the data on the person's health reporting - who holds the status of local agent - since these were necessary to resolve the desirability of initiating a disciplinary file against him, for alleged withdrawal from service on health grounds. Thus, this Authority concludes that the processing of controversial personal data was covered by Article 6.1e) - processing carried out in the exercise of public powers - and that the circumstances provided for in Article 9.2 (f) and g) GDPR, which lift the prohibition on processing health data in Article 9.1 (GDPR).

The complainant complains that they made him send medical documentation by email and that this would facilitate access to medical data by non-health administrative staff. RA is issued since this was an exceptional shipment since the patient requested urgent assistance by phone for the prescription of pain medication and since the last medical report was not yet included in the HC3, since the same one had been issued day at another medical center, he was asked to send it by e-mail in order to carry out the medical prescription. These emails are managed by the administrative staff entrusted with these functions and, moreover, management does not involve access to medical documentation; only if it becomes essential for the performance of its functions. Art. 16 Law 41/2022.

RA is being prepared because the complainant was the one who in a workplace revealed his or her COVID (and his/her) results to other partners. He did so for organisational purposes. At the same time, his boss communicated the results (and those of his wife) to a colleague in charge of carrying out organizational functions. Although it was not necessary to disclose data on his wife's results, it would be disproportionate to hold the complainant responsible for this fact, when it was the complainant himself who revealed the information in a voluntary, trusted environment amongst colleagues. It should also be noted that the complainant confirmed that he had carried out an access audit and confirmed that there had been no access to the complainant's data.

Since the regulation urges the Public Administration to facilitate the use of the "sense name" by trans persons (art. 23.1 Law 11/2014), the processing of this data is not excessive for the purposes of the principle of minimisation, and may be lawful if carried out on the legal basis of the consent of the person concerned. Treatment of the "sense name", as identifying data relating to a natural person's gender identity or expression, does not, in principle, involve processing data from special categories. The identification information of the person concerned must also be dealt with in official documents (DNI/NIE or passport), in order to ensure the identification and, among other things, the principle of the accuracy of the information and its traceability.

The hospital could communicate pseudonymized data relating to the health of patients treated with medicines for compassionate use in the pharmaceutical laboratory that facilitates the drug for clinical research purposes (Article 9.2.j) GDPR and paragraph 2.d) of DA 17a LOPDGDD) on the basis of the legitimate interest pursued by the laboratory.